HIPAA is one of the most widely known data security frameworks across industries. Formulated to enforce privacy, security, and accountability for healthcare information, HIPAA covers most organizations working with patient data. If you are a covered entity under the Privacy Rule, you are responsible for complying with HIPAA.
As a practice owner, you are responsible for all your patient data. If an employee or a vendor loses patient data, you can be held accountable for it. For HIPAA noncompliance, the Office for Civil Rights (OCR) will first seek voluntary compliance, corrective action and/or a resolution agreement. If these measures fail, the agency can impose civil penalties and even refer the case to the Department of Justice for criminal investigation.
Penalties for Civil Violations
Civil violations are classified into four categories:
- Reasonable cause but not willful neglect
- Willful neglect but action corrected within the time period
- Willful neglect and action not corrected within the required time period
The monetary penalty can be as low as $100 per violation or as high as $1.5 million in a year for each type of violation. Repeated instances of the same violation can attract higher penalties than they would otherwise.
Criminal violations occur when a covered entity knowingly obtains or discloses individually identifiable health information. Obtaining that data under false pretenses carries more severe penalties, including prison time.
Given the different types of civil violations, it is entirely possible for a practice to violate the privacy provisions by accident. Consider a few examples like the ones below:
- An employee posts a sarcastic comment about a patient's restorative work on Facebook, with pictures.
- You lose your phone which has patient data stored on it. The phone does not have a PIN or password, meaning anyone can access it.
- A vendor whose software you use has a data breach and does not inform you about it. Unfortunately, your practice data was also compromised in the breach.
- The hygienist leaves the room while still logged into the EDR software. Anyone who walks in can access patient files without authorization.
- One of your employees is at a party with a friend who asks about the status of her relative's dental work. The employee reveals that information, not knowing it is a violation of HIPAA.
- A patient posts an unfair review of their dental procedure on a popular website. To rebut the accusation of shoddy work, you reply with details about their treatment and condition.
As you can see, these kinds of situations happen quite frequently. Whether you can be held accountable for the violation, and how much you will have to pay, depends on a variety of factors. If you promptly notify the relevant authorities of the violation, present the pertinent documentation and take steps to correct the situation, the penalties may not be severe. But if the violation occurs because of willful neglect on your part, or you fail to notify the authorities within the required time period, it can cost you thousands of dollars in penalties.
How Can You Avoid This?
The most common violations occur because of a lack of training. Do employees know that they should not reveal patient information in a social situation, on internet forums, and so on? Do you have a policy that specifically outlines the steps to take if someone discloses information they should not have? Everyone should know the answers to these questions. Compliance training should be specific, focused, and periodic to have any effect. As a dental professional, you can prevent many such violations by implementing specific policies and practices while also training your employees on the relevant compliance measures.